Frank Hecker wrote:
> First, what's a "duff cert" in this context? A cert issued by a CA in violation of its own policies (i.e., CP and CPS)? A cert issued by a CA to someone that the CA "should have known" might use it for fraudulent purposes? A cert issued by a CA to someone who turns out to use the cert in the context of fraudulent activity (whether the CA "should have known" this or not)? These are not really the same definitions. Which one did you (and Gerv) intend?

For my part, a "duff cert" is one which is used for fraudulent activity. That's a somewhat circular definition, indeed - but I wasn't thinking in terms of the risk or otherwise from the policy changes.


> We're in essence saying that use of SSL in e-commerce and financial applications is our primary concern, that the risks associated with SSL in such applications require us to adopt as stringent a set of rules as we can, and that all other uses of SSL have to play by the same rules, whether they make sense in other contexts or not.

This rather falls out of the current binary security UI. (I should say that I'm very sceptical that it's possible to change that; this is merely an observation.)


Gerv
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto